EU Working Party Issues Statement on CJEU’s Invalidation of Safe Harbor Framework

The European Court of Justice’s (CJEU) recent decision striking down the EU-US Safe Harbor framework has created significant marketplace uncertainty and left companies scrambling for alternative cross-Atlantic data transfer mechanisms.

The Article 29 Working Party, an influential advisory body comprising member state privacy regulators, has lent a measure of calm to the chaos. In a statement released on Friday, October 16, the body made the following two key points:

First, “data protection authorities consider that Standard [Model] Contractual Clauses and Binding Corporate Rules can still be used” to lawfully transfer data from the EU to the US. Use of these mechanisms does not immunize a company from regulatory investigation or enforcement that may arise from complaints or privacy lapses. Rather, the statement recognizes that model clauses and BCRs continue to be legitimate cross-border transfer mechanisms while the Working Party continues its analysis of the impact of the CJEU judgement. We can expect further guidance from the Working Party on the validity of various transfer mechanisms in due course.

Second, if EU/US regulators fail to resolve the Safe Harbor quandary by the end of January 2016, then EU data protection authorities will “take all necessary and appropriate actions” to uphold the law, possibly including “coordinated enforcement actions.” While the Working Party’s statement is not binding on any EU DPA, it is entirely consistent with the sudden, impractical burden that would otherwise be placed on companies who had relied on Safe Harbor. As we noted in our earlier client alert, the logical course is for DPAs to provide some grace period before enforcing the CJEU’s decision.

The chaos reached a boiling point earlier in the week when the DPA of Schleswig-Holstein, a DPA in Northern Germany, published a position paper effectively arguing that no mechanism existed to lawfully permit the transfer of data to the US. According to this particular DPA, even Model Clauses and BCRs are inadequate. This view seems challengeable and is not the majority view among DPAs in Europe, as evidenced by the Working Party’s statement. And, indeed, the S-H DPA’s position is precisely why the Working Group strongly urged that the EU and US governments collaborate to bring order and predictability to this critical global commerce issue in the next 3.5 months, by the end of January 2016.
